Diffstat (limited to 'doc')
-rw-r--r--  doc/Changelog               131
-rw-r--r--  doc/FEATURES                  1
-rw-r--r--  doc/README                    2
-rw-r--r--  doc/TODO                      1
-rw-r--r--  doc/example.conf.in          32
-rw-r--r--  doc/libunbound.3.in           4
-rw-r--r--  doc/unbound-anchor.8.in       2
-rw-r--r--  doc/unbound-checkconf.8.in    2
-rw-r--r--  doc/unbound-control.8.in      8
-rw-r--r--  doc/unbound-host.1.in         2
-rw-r--r--  doc/unbound.8.in              4
-rw-r--r--  doc/unbound.conf.5.in        60
-rw-r--r--  doc/unbound.doxygen           6
13 files changed, 231 insertions, 24 deletions
diff --git a/doc/Changelog b/doc/Changelog
index 1622dd2b5e27..eea220c414e6 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,8 +1,137 @@
+2 February 2021: Wouter
+ - branch-1.13.1 is created, with release-1.13.1rc1 tag.
+ - Fix dynlibmod link on rhel8 for -ldl inclusion.
+ - Fix windows dependency on libssp.dll because of default stack
+ protector in mingw.
+ - Fix indentation of root anchor for use by windows install script.
+
+1 February 2021: George
+ - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
+
+29 January 2021: Wouter
+ - Fix for doxygen 1.8.20 compatibility.
+
+28 January 2021: Wouter
+ - Annotate that we ignore the return value of if_indextoname.
+ - Fix to use correct type for label count in rpz routine.
+ - Fix empty clause warning in config_file nsid parse.
+ - Fix to use correct type for label count in ipdnametoaddr rpz routine.
+ - Fix empty clause warning in edns pass for padding.
+ - Fix fwd ancil test post script when not supported.
+
+26 January 2021: George
+ - Merge PR #408 from fobser: Prevent a few more yacc clashes.
+ - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
+ original instead of a decrementing TTL ('serve-original-ttl')
+ - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
+ static data.
+ - Ignore cache blacklisting when trying to reply with expired data from
+ cache (#394).
+
+26 January 2021: Wouter
+ - Fix compile of unbound-dnstap-socket without dnstap installed.
+
+22 January 2021: Willem
+ - Padding of queries and responses with DNS over TLS as specified in
+ RFC7830 and RFC8467.
+
+22 January 2021: George
+ - Fix TTL of SOA record for negative answers (localzone and
+ authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
+
+19 January 2021: Willem
+ - Support for RFC5001: DNS Name Server Identifier (NSID) Option
+ with the nsid: option in unbound.conf
+
+18 January 2021: Wouter
+ - Fix #404: DNS query with small edns bufsize fail.
+ - Fix declaration before statement and signed comparison warning in
+ dns64.
+
+15 January 2021: Wouter
+ - Merge #402 from fobser: Implement IPv4-Embedded addresses according
+ to RFC6052.
+
+14 January 2021: Wouter
+ - Fix for #93: dynlibmodule import library is named libunbound.dll.a.
+
+13 January 2021: Wouter
+ - Merge #399 from xiangbao227: The lock of lruhash table should
+ unlocked after markdel entry.
+ - Fix for #93: dynlibmodule link fix for Windows.
+
+12 January 2021: Wouter
+ - Fix #397: [Feature request] add new type always_null to local-zone
+ similar to always_nxdomain.
+ - Fix so local zone types always_nodata and always_deny can be used
+ from the config file.
+
+8 January 2021: Wouter
+ - Merge PR #391 from fhriley: Add start_time to reply callbacks so
+ modules can compute the response time.
+ - For #391: use struct timeval* start_time for callback information.
+ - For #391: fix indentation.
+ - For #391: more double casts in python start time calculation.
+ - Add comment documentation.
+ - Fix clang analysis warning.
+
+6 January 2021: Wouter
+ - Fix #379: zone loading over HTTP appears to have buffer issues.
+ - Merge PR #395 from mptre: add missing null check.
+ - Fix #387: client-subnet-always-forward seems to effectively bypass
+ any caching?
+
+5 January 2021: Wouter
+ - Fix #385: autoconf 2.70 impacts unbound build
+ - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
+ to unbound-control.
+
+4 January 2021: Wouter
+ - For #376: Fix that comm point event is not double removed or double
+ added to event map.
+ - iana portlist updated.
+
+16 December 2020: George
+ - Fix error cases when udp-connect is set and send() returns an error
+ (modified patch from Xin Li @delphij).
+
+11 December 2020: Wouter
+ - Fix #371: unbound-control timeout when Unbound is not running.
+ - Fix to squelch permission denied and other errors from remote host,
+ they are logged at higher verbosity but not on low verbosity.
+ - Merge PR #335 from fobser: Sprinkle in some static to prevent
+ missing prototype warnings.
+ - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
+ is a GNU extension.
+ - Fix missing prototypes in the code.
+
+3 December 2020: Wouter
+ - make depend.
+ - iana portlist updated.
+
+2 December 2020: Wouter
+ - Fix #360: for the additionally reported TCP Fast Open makes TCP
+ connections fail, in that case we print a hint that this is
+ happening with the error in the logs.
+ - Fix #356: deadlock when listening tcp.
+ - Fix unbound-dnstap-socket to not use log routine from interrupt
+ handler and not print so frequently when invoked in sequence.
+ - Fix on windows to ignore connection failure on UDP, unless verbose.
+ - Fix for #283: fix stream reuse and tcp fast open.
+ - Fix update, with write event check with streamreuse and fastopen.
+
+1 December 2020: Wouter
+ - Fix #358: Squelch udp connect 'no route to host' errors on low
+ verbosity.
+
30 November 2020: Wouter
- Fix assertion failure on double callback when iterator loses
interest in query at head of line that then has the tcp stream
not kept for reuse.
- - tag for the 1.13.0rc4 release.
+ - tag for the 1.13.0rc4 release. This also became the 1.13.0
+ release version on 3 dec 2020 with the streamreuse and fastopen
+ fix from 2 dec 2020. The code repo continues for 1.13.1 in
+ development.
27 November 2020: Wouter
- Fix compile warning for type cast in http2_submit_dns_response.
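Review bot: The dates in the expanded 30 November entry ("3 dec 2020", "2 dec 2020") do not follow the Changelog's own "3 December 2020" date convention used by every heading in this file; spell them out for consistency. It would also help readers of this hunk if the 18 January entry "Fix #404: DNS query with small edns bufsize fail." mentioned that the fix flips the harden-short-bufsize default, since that is a behaviour change rather than a plain bug fix.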
diff --git a/doc/FEATURES b/doc/FEATURES
index 076988ea9127..8d69aba9b1e1 100644
--- a/doc/FEATURES
+++ b/doc/FEATURES
@@ -39,6 +39,7 @@ RFC 4343: case insensitive handling of domain names.
RFC 4509: SHA256 DS hash.
RFC 4592: wildcards.
RFC 4697: No DNS Resolution Misbehavior.
+RFC 5001: DNS Name Server Identifier (NSID) Option
RFC 5011: update of trust anchors with timers.
RFC 5155: NSEC3, NSEC3PARAM types
RFC 5358: reflectors-are-evil: access control list for recursive
diff --git a/doc/README b/doc/README
index e864bb188e33..b7a31b8b1eb9 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.13.0
+README for Unbound 1.13.1
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/TODO b/doc/TODO
index a2690451a2bb..839656154867 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -14,7 +14,6 @@ o (option) store primed key data in a overlaid keyhints file (sort of like draft
o windows version, auto update feature, a query to check for the version.
o command the server with TSIG inband. get-config, clearcache,
get stats, get memstats, get ..., reload, clear one zone from cache
-o NSID rfc 5001 support.
o timers rfc 5011 support.
o Treat YXDOMAIN from a DNAME properly, in iterator (not throwaway), validator.
o make timeout backoffs randomized (a couple percent random) to spread traffic.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 82ccaa4dd9f9..af33ee4a6a9f 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.13.0.
+# See unbound.conf(5) man page, version 1.13.1.
#
# this is a comment.
@@ -377,6 +377,9 @@ server:
# the version to report. Leave "" or default to return package version.
# version: ""
+ # NSID identity (hex string, or "ascii_somestring"). default disabled.
+ # nsid: "aabbccdd"
+
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
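Review bot: The new nsid comment should state that the configured identifier is returned to any client that includes the NSID EDNS option in its query, so the operator picks a value that is deliberately public (a site or instance label, not an internal hostname or other information they would not want exposed). The comment also does not say whether the hex form must have an even number of digits; stating the accepted syntax precisely here avoids config-time surprises.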
@@ -388,7 +391,7 @@ server:
# target-fetch-policy: "3 2 1 0 0"
# Harden against very small EDNS buffer sizes.
- # harden-short-bufsize: no
+ # harden-short-bufsize: yes
# Harden against unseemly large queries.
# harden-large-queries: no
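Review bot: Flipping the commented default from "no" to "yes" is a behaviour change for existing deployments (queries advertising very small EDNS buffer sizes are now dropped by default), so the comment on the line above should say that the default changed in this release, the way other options in this file call out their defaults, rather than only updating the sample value.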
@@ -595,6 +598,13 @@ server:
# A recommended value is 1800.
# serve-expired-client-timeout: 0
+ # Return the original TTL as received from the upstream name server rather
+ # than the decrementing TTL as stored in the cache. Enabling this feature
+ # does not impact cache expiry, it only changes the TTL unbound embeds in
+ # responses to queries. Note that enabling this feature implicitly disables
+ # enforcement of the configured minimum and maximum TTL.
+ # serve-original-ttl: no
+
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
# val-log-level: 0
@@ -704,8 +714,10 @@ server:
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o inform_redirect redirects queries and logs client IP address
- # o always_transparent, always_refuse, always_nxdomain, resolve in
- # that way but ignore local data for that name
+ # o always_transparent, always_refuse, always_nxdomain, always_nodata,
+ # always_deny resolve in that way but ignore local data for
+ # that name
+ # o always_null returns 0.0.0.0 or ::0 for any name in the zone.
# o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
@@ -753,6 +765,12 @@ server:
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Pad responses to padded queries received over TLS
+ # pad-responses: yes
+
+ # Padded responses will be padded to the closest multiple of this size.
+ # pad-responses-block-size: 468
+
# Use the SNI extension for TLS connections. Default is yes.
# Changing the value requires a reload.
# tls-use-sni: yes
@@ -775,6 +793,12 @@ server:
# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no
+ # Pad queries over TLS upstreams
+ # pad-queries: yes
+
+ # Padded queries will be padded to the closest multiple of this size.
+ # pad-queries-block-size: 128
+
# Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-port: portno for each of the port numbers.
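Review bot: Both padding block sizes in this file (128 for pad-queries here, 468 for pad-responses in the earlier hunk) are the values RFC 8467 recommends for clients and servers respectively; the comments should cite RFC 8467 so an operator changing them knows the defaults are not arbitrary and that smaller blocks weaken the traffic-analysis protection the feature exists for. Also note in the pad-queries comment that padding only applies to upstreams reached over TLS, matching the man page text.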
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 80f7335be05e..519e5eced1d7 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "libunbound" "3" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.13.0 functions.
+\- Unbound DNS validating resolver 1.13.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 564420da04a7..5ac5ae7e0326 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound-anchor" "8" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index ab22ad0b676e..8c5e4048e085 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound-checkconf" "8" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index f63a2f49cee4..b32022dcba13 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound-control" "8" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -305,6 +305,12 @@ Transfer the auth zone from master. The auth zone probe sequence is started,
where the masters are probed to see if they have an updated zone (with the SOA
serial check). And then the zone is transferred for a newer zone version.
.TP
+.B rpz_enable \fIzone\fR
+Enable the RPZ zone if it had previously been disabled.
+.TP
+.B rpz_enable \fIzone\fR
+Disable the RPZ zone.
+.TP
.B view_list_local_zones \fIview\fR
\fIlist_local_zones\fR for given view.
.TP
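Review bot: The second new entry is wrong: both entries are labelled ".B rpz_enable \fIzone\fR" while the description of the second says "Disable the RPZ zone." The second label should read ".B rpz_disable \fIzone\fR", matching the rpz_disable command added by PR #375 in the Changelog. As written, the man page documents rpz_enable twice and rpz_disable not at all.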
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index e0cc704d39df..173c72bfe103 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound\-host" "1" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index c012e379eb40..a62433e70cab 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound" "8" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.13.0.
+\- Unbound DNS validating resolver 1.13.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index a244eee7a70e..1556374f71a5 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
+.TH "unbound.conf" "5" "Feb 9, 2021" "NLnet Labs" "unbound 1.13.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -564,6 +564,25 @@ and that is the default.
Set the list of ciphersuites to allow when serving TLS. This is for newer
TLS 1.3 connections. Use "" for defaults, and that is the default.
.TP
+.B pad\-responses: \fI<yes or no>
+If enabled, TLS serviced queries that contained an EDNS Padding option will
+cause responses padded to the closest multiple of the size specified in
+\fBpad\-responses\-block\-size\fR.
+Default is yes.
+.TP
+.B pad\-responses\-block\-size: \fI<number>
+The block size with which to pad responses serviced over TLS. Only responses
+to padded queries will be padded.
+Default is 468.
+.TP
+.B pad\-queries: \fI<yes or no>
+If enabled, all queries sent over TLS upstreams will be padded to the closest
+multiple of the size specified in \fBpad\-queries\-block\-size\fR.
+Default is yes.
+.TP
+.B pad\-queries\-block\-size: \fI<number>
+The block size with which to pad queries sent over TLS upstreams.
+Default is 128.
.B tls\-use\-sni: \fI<yes or no>
Enable or disable sending the SNI extension on TLS connections.
Default is yes.
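Review bot: The new block is missing a ".TP" between "Default is 128." and the existing ".B tls\-use\-sni: \fI<yes or no>" line; the original ".TP" that preceded tls-use-sni has been consumed by pad-responses, so tls-use-sni now renders as a continuation of the pad-queries-block-size paragraph. Add ".TP" after "Default is 128.". Also, "will cause responses padded to the closest multiple" should read "will cause responses to be padded to the closest multiple", and "TLS serviced queries" is clearer as "queries received over TLS".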
@@ -819,6 +838,11 @@ If enabled version.server and version.bind queries are refused.
Set the version to report. If set to "", the default, then the package
version is returned.
.TP
+.B nsid:\fR <string>
+Add the specified nsid to the EDNS section of the answer when queried
+with an NSID EDNS enabled packet. As a sequence of hex characters or
+with ascii_ prefix and then an ascii string.
+.TP
.B hide\-trustanchor: \fI<yes or no>
If enabled trustanchor.unbound queries are refused.
.TP
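Review bot: The nsid entry is the only option in this region without a "Default is ..." sentence; every neighbouring option (version, hide-trustanchor) states one, and example.conf says the option is disabled by default, so add "Default is off (no NSID is added)." or similar. The heading format ".B nsid:\fR <string>" also differs from the file's convention of ".B name: \fI<string>"; use the same font escape so the argument is italicised like the others. Finally, the description should spell out the two accepted forms as a pair: a string of hex characters, or "ascii_" followed by an ASCII string.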
@@ -839,9 +863,8 @@ closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
rumoured to be closer to that of BIND 8.
.TP
.B harden\-short\-bufsize: \fI<yes or no>
-Very small EDNS buffer sizes from queries are ignored. Default is off, since
-it is legal protocol wise to send these, and unbound tries to give very
-small answers to these queries, where possible.
+Very small EDNS buffer sizes from queries are ignored. Default is on, as
+described in the standard.
.TP
.B harden\-large\-queries: \fI<yes or no>
Very large queries are ignored. Default is off, since it is legal protocol
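Review bot: "Default is on, as described in the standard." is too vague for a man page: name the RFC the new default follows rather than "the standard". The removed text also explained why the option was previously off (small buffer sizes are legal and Unbound tries to answer them with small responses); since this release changes the default, keep a sentence saying that queries with very small EDNS buffer sizes are now ignored and what an operator should set to restore the old behaviour, so the change is discoverable from the man page alone.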
@@ -1163,6 +1186,19 @@ responding with expired data. A recommended value per
RFC 8767 is 1800. Setting this to 0 will disable this
behavior. Default is 0.
.TP
+.B serve\-original\-ttl: \fI<yes or no>
+If enabled, unbound will always return the original TTL as received from
+the upstream name server rather than the decrementing TTL as
+stored in the cache. This feature may be useful if unbound serves as a
+front-end to a hidden authoritative name server. Enabling this feature does
+not impact cache expiry, it only changes the TTL unbound embeds in responses to
+queries. Note that enabling this feature implicitly disables enforcement of
+the configured minimum and maximum TTL, as it is assumed users who enable this
+feature do not want unbound to change the TTL obtained from an upstream server.
+Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
+ignored.
+Default is "no".
+.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
@@ -1231,7 +1267,7 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
+inform_redirect, always_transparent, always_refuse, always_nxdomain, always_null, noview,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
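Review bot: The type list is incomplete: this hunk adds always_null but not always_nodata and always_deny, even though both are documented as local-zone types later in this same patch (and listed in example.conf). Change the line to "inform_redirect, always_transparent, always_refuse, always_nxdomain, always_nodata, always_deny, always_null, noview," so the list matches the per-type descriptions below.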
@@ -1305,6 +1341,17 @@ Like refuse, but ignores local data and refuses the query.
\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
+\h'5'\fIalways_nodata\fR
+Like static, but ignores local data and returns nodata for the query.
+.TP 10
+\h'5'\fIalways_deny\fR
+Like deny, but ignores local data and drops the query.
+.TP 10
+\h'5'\fIalways_null\fR
+Always returns 0.0.0.0 or ::0 for every name in the zone. Like redirect
+with zero data for A and AAAA. Ignores local data in the zone. Used for
+some block lists.
+.TP 10
\h'5'\fInoview\fR
Breaks out of that view and moves towards the global local zones for answer
to the query. If the view first is no, it'll resolve normally. If view first
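Review bot: In the always_null description, "::0" should be written as "::", the canonical RFC 5952 form for the IPv6 unspecified address (the same notation is used in example.conf, so both should be corrected together). The text also only says what A and AAAA queries receive; state explicitly what other query types for names in the zone get (for example whether they receive nodata), since block-list operators will depend on that behaviour.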
@@ -2033,7 +2080,8 @@ Specify whether the ECS address check (configured using
query contains an ECS record, or only for queries for which the ECS record is
generated using the querier address (and therefore did not contain ECS data in
the client query). If enabled, the address check is skipped when the client
-query contains an ECS record. Default is no.
+query contains an ECS record. And the lookup in the regular cache is skipped.
+Default is no.
.TP
.B max\-client\-subnet\-ipv6: \fI<number>\fR
Specifies the maximum prefix length of the client source address we are willing
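Review bot: "And the lookup in the regular cache is skipped." is a sentence fragment and reads as an afterthought; fold it into the preceding sentence, for example "If enabled, the address check is skipped when the client query contains an ECS record, and the regular (non-ECS) cache is not consulted for such queries." This also makes the consequence clearer to operators, since it is exactly the cache bypass reported in #387 that this wording is documenting.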
diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen
index 45f49b36722e..4c32d89435ca 100644
--- a/doc/unbound.doxygen
+++ b/doc/unbound.doxygen
@@ -1143,7 +1143,7 @@ COMPACT_LATEX = NO
# by the printer. Possible values are: a4, a4wide, letter, legal and
# executive. If left blank a4wide will be used.
-PAPER_TYPE = a4wide
+#PAPER_TYPE = a4wide
# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
# packages that should be included in the LaTeX output.
@@ -1451,7 +1451,7 @@ EXTERNAL_GROUPS = YES
# The PERL_PATH should be the absolute path and name of the perl script
# interpreter (i.e. the result of `which perl').
-PERL_PATH = /usr/bin/perl
+#PERL_PATH = /usr/bin/perl
#---------------------------------------------------------------------------
# Configuration options related to the dot tool
@@ -1473,7 +1473,7 @@ CLASS_DIAGRAMS = YES
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
-MSCGEN_PATH =
+#MSCGEN_PATH =
# If set to YES, the inheritance and collaboration graphs will hide
# inheritance and usage relations if the target is undocumented